b"                                           November 8, 2012\n\n\nThe Honorable Michael J. Astrue\nCommissioner\n\nThe Chief Financial Officers Act of 1990 (CFO) (Pub. L. No. 101-576), as amended, requires\nthat the Social Security Administration\xe2\x80\x99s (SSA) Inspector General (IG) or an independent\nexternal auditor, as determined by the IG, audit SSA's financial statements in accordance with\napplicable standards. Under a contract monitored by the Office of the Inspector General (OIG),\nGrant Thornton, LLP, an independent certified public accounting firm, audited SSA's Fiscal Year\n(FY) 2012 financial statements. Grant Thornton, LLP, also audited the FY 2011 financial\nstatements presented in SSA\xe2\x80\x99s FY 2012 Performance and Accountability Report for comparative\npurposes. This letter transmits the Grant Thornton, LLP, Independent Auditor\xe2\x80\x99s Report on the\naudit of SSA\xe2\x80\x99s FY 2012 financial statements. Grant Thornton, LLP\xe2\x80\x99s, Report includes the\nfollowing.\n\n\xe2\x80\xa2   Opinion on Financial Statements\n\xe2\x80\xa2   Opinion on Management's Assertion About the Effectiveness of Internal Control\n\xe2\x80\xa2   Report on Compliance and Other Matters\n\nObjective of a Financial Statement Audit\n\nThe objective of a financial statement audit is to obtain reasonable assurance about whether the\nfinancial statements are free of material misstatement. An audit includes examining, on a test\nbasis, evidence supporting the amounts and disclosures in the financial statements. 
An audit also\nincludes an assessment of the accounting principles used, and significant estimates made, by\nmanagement as well as an evaluation of the overall financial statement presentation.\n\nGrant Thornton, LLP, conducted its audit in accordance with auditing standards generally\naccepted in the United States; Government Auditing Standards issued by the Comptroller\nGeneral of the United States; and Office of Management and Budget (OMB) Bulletin No. 07-04,\nAudit Requirements for Federal Financial Statements. The audit included obtaining an\nunderstanding of the internal control, testing and evaluating the design and operating\neffectiveness of the internal control, and performing such other procedures as considered\nnecessary under the circumstances. Because of inherent limitations in any internal control,\nmisstatements due to error or fraud may occur and not be detected. The risk of fraud is inherent\nto many of SSA\xe2\x80\x99s programs and operations, especially within the Supplemental Security Income\nprogram. In our opinion, people outside the organization perpetrate most of the fraud against\nSSA.\n\n\n\n                WEB: OIG.SSA.GOV | FACEBOOK: OIGSSA | TWITTER: @THESSAOIG | YOUTUBE: THESSAOIG\n                          6401 SECURITY BOULEVARD | BALTIMORE, MD 21235-0001\n\x0cPage 2 \xe2\x80\x93 The Honorable Michael J. Astrue\n\n\nAudit of Financial Statements, Effectiveness of Internal Control, and Compliance with\nLaws and Regulations\n\nGrant Thornton, LLP, issued an unqualified opinion on SSA\xe2\x80\x99s FY 2012 and 2011 financial\nstatements. 
However, Grant Thornton, LLP, stated SSA had not maintained effective internal\ncontrol over financial reporting based on criteria under the Federal Manager\xe2\x80\x99s Financial\nIntegrity Act of 1982 (FMFIA).\n\nIn its audit, Grant Thornton, LLP, identified five deficiencies in internal control that, when\naggregated, are considered to be a material weakness in controls over information security.\nSpecifically, Grant Thornton, LLP\xe2\x80\x99s, testing disclosed\n\n1. lack of monitoring controls and implementation of policy related to the configuration and\n   content of information on SSA Intranet Webpages,\n2. lack of controls related to the identification and monitoring of high-risk programs operating\n   on the mainframe,\n3. The Agency\xe2\x80\x99s vulnerability testing was not sufficient to identify critical weaknesses in SSA\xe2\x80\x99s\n   information technology environment,\n4. lack of a comprehensive profile and access recertification program, and\n5. lack of appropriate controls to prevent programmer access to the production environment.\n\nIn addition to the material weakness, Grant Thornton, LLP, noted additional deficiencies in\ninternal control that, when aggregated, are considered to be a significant deficiency related to\nweaknesses in internal control related to monitoring activities and overall control environment.\nSpecifically, Grant Thornton, LLP\xe2\x80\x99s, testing disclosed\n\n1. lack of consideration and resolution of audit findings that were reported in the Management\n   Letter for the past two FYs;\n2. lack of a comprehensive process for SSA\xe2\x80\x99s quality review feedback forms; and\n3. 
lack of appropriate documentation for disability reviews; various approvals for certain\n   transactions; and Overpayments detection and associated Waivers.\n\nGrant Thornton, LLP, identified no reportable instances of noncompliance with the laws,\nregulations, or other matters tested.\n\nOIG Evaluation of Grant Thornton, LLP, Audit Performance\n\nTo fulfill our responsibilities under the CFO Act and related legislation for ensuring the quality\nof the audit work performed, we monitored Grant Thornton, LLP\xe2\x80\x99s, audit of SSA's FY 2012\nfinancial statements by\n\x0cPage 3 \xe2\x80\x93 The Honorable Michael J. Astrue\n\n\n\xe2\x80\xa2   reviewing Grant Thornton, LLP\xe2\x80\x99s, audit approach and planning;\n\xe2\x80\xa2   evaluating its auditors qualifications and independence;\n\xe2\x80\xa2   monitoring the audit\xe2\x80\x99s progress at key points;\n\xe2\x80\xa2   examining Grant Thornton, LLP\xe2\x80\x99s, documentation related to planning the audit, assessing\n    SSA's internal control, and substantive testing;\n\xe2\x80\xa2   reviewing Grant Thornton, LLP\xe2\x80\x99s, audit report to ensure compliance with Government\n    Auditing Standards and OMB Bulletin No. 07-04;\n\xe2\x80\xa2   coordinating the issuance of the audit report; and\n\xe2\x80\xa2   performing other procedures we deemed necessary.\n\nGrant Thornton, LLP, is responsible for the attached auditor\xe2\x80\x99s report, dated November 8, 2012,\nand the opinions and conclusions expressed therein. The OIG is responsible for technical and\nadministrative oversight regarding Grant Thornton, LLP\xe2\x80\x99s, performance under the terms of the\ncontract. 
Our review, as differentiated from an audit in accordance with applicable auditing\nstandards, was not intended to enable us to express, and accordingly we do not express, an\nopinion on SSA\xe2\x80\x99s financial statements, management\xe2\x80\x99s assertions about the effectiveness of its\ninternal control over financial reporting, or SSA\xe2\x80\x99s compliance with certain laws and regulations.\nHowever, our monitoring review, as qualified above, disclosed no instances where Grant\nThornton, LLP, did not comply with applicable auditing standards.\n\nConsistent with our responsibility under the Inspector General Act, we are providing copies of\nthis report to appropriate congressional committees with oversight and appropriation\nresponsibilities over SSA. In addition, we will post a copy of the report on our public website.\n\n\n\n\n                                              Patrick P. O\xe2\x80\x99Carroll, Jr.\n                                              Inspector General\n\nEnclosure\n\x0c                                                                                                                Audit \xef\x82\x96 Tax \xef\x82\x96 Advisory\n                                                                                                                Grant Thornton LLP\n                                                                                                                333 John Carlyle Street, Suite 500\n                                                                                                                Alexandria, VA 22314-5745\n                                                                                                                T 703.837.4400\n                                                                                                                F 703.837.4455\n                                                                                                                www.GrantThornton.com\n\n\n\n\nHonorable 
Michael J. Astrue\nCommissioner\nSocial Security Administration\n\n\n\n                                                       Independent Auditor\xe2\x80\x99s Report\n\nIn our audit of the Social Security Administration (SSA), we found:\n\n                 \xef\x82\xa7        The consolidated balance sheets of the SSA as of September 30, 2012 and 2011, and the related\n                          consolidated statements of net cost and changes in net position, and the combined statements of\n                          budgetary resources for the years then ended, and the statements of social insurance as of\n                          January 1, 2012 and January 1, 2011 and statement of changes in social insurance amounts for the\n                          periods January 1, 2011 to January 1, 2012 and January 1, 2010 to January 1, 2011 are presented fairly,\n                          in all material respects, in conformity with accounting principles generally accepted in the United\n                          States of America;\n\n                 \xef\x82\xa7        SSA did not maintain effective internal control over financial reporting as of September 30, 2012; and\n\n                 \xef\x82\xa7        No reportable instances of noncompliance with laws, regulations, or other matters tested.\n\nOPINION ON FINANCIAL STATEMENTS\nWe have audited the accompanying consolidated balance sheets of the SSA as of September 30, 2012 and 2011,\nand the related consolidated statements of net cost and changes in net position, and the combined statements of\nbudgetary resources for the years then ended, and the statements of social insurance as of January 1, 2012,\nJanuary 1, 2011 and January 1, 2010 and the statements of changes in social insurance amounts for the periods\nJanuary 1, 2011 to January 1, 2012 and January 1, 2010 to January 1, 2011. These financial statements are the\nresponsibility of SSA\xe2\x80\x99s management. 
Our responsibility is to express an opinion on these financial statements\nbased on our audits. The statements of social insurance as of January 1, 2009 and 2008 were audited by other\nauditors whose reports dated November 9, 2009 and November 7, 2008 expressed an unqualified opinion on\nthose statements.\n\nWe conducted our audits in accordance with auditing standards generally accepted in the United States of America\nestablished by the American Institute of Certified Public Accountants (AICPA); the standards applicable to\nfinancial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States;\n\n\nGrant Thornton LLP\nU.S. member firm of Grant Thornton International Ltd\n\x0c                                                                                                                             2\n\n\nand Office of Management and Budget (OMB) Bulletin No. 07-04, Audit Requirements for Federal Financial Statements.\nThose standards require that we plan and perform the audit to obtain reasonable assurance about whether the\nfinancial statements are free of material misstatement. An audit includes examining, on a test basis, evidence\nsupporting the amounts and disclosures in the financial statements. An audit also includes assessing the\naccounting principles used and significant estimates made by management, as well as evaluating the overall\nfinancial statement presentation. 
We believe that our audits provide a reasonable basis for our opinion.\n\nIn our opinion, the financial statements referred to above and presented on pages 110 through 144 of this\nPerformance and Accountability Report (PAR), present fairly, in all material respects, the financial position of SSA as of\nSeptember 30, 2012 and 2011, and its net cost of operations, changes in net position, and budgetary resources for\nthe years then ended, and the financial condition of its social insurance program as of January 1, 2012 and\nJanuary 1, 2011 and changes in social insurance amounts for the period January 1, 2011 to January 1, 2012, in\nconformity with accounting principles generally accepted in the United States of America.\n\nHowever, misstatements may nevertheless occur in other financial information reported by SSA and may not be\nprevented or detected because of the deficiencies noted in the opinion on internal control below.\n\nAs discussed in Note 17 to the financial statements, the statements of social insurance present the actuarial present\nvalue of the SSA's estimated future income to be received from or on behalf of the participants and estimated\nfuture expenditures to be paid to or on behalf of participants during a projection period sufficient to illustrate\nlong-term sustainability of the social insurance program. In preparing the statement of social insurance,\nmanagement considers and selects assumptions and data that it believes provide a reasonable basis for the\nassertions in the statements. 
However, because of the large number of factors that affect the statement of social\ninsurance and the fact that future events and circumstances cannot be known with certainty, there will be\ndifferences between the estimates in the statement of social insurance and the actual results, and those differences\nmay be material.\n\nOPINION ON INTERNAL CONTROL\n\nWe have audited SSA\xe2\x80\x99s internal control over financial reporting as of September 30, 2012, based on criteria\nestablished under 31 U.S.C. 3512(c), (d), commonly known as the Federal Managers\xe2\x80\x99 Financial Integrity Act of 1982\n(FMFIA). We did not test all internal controls, relevant to the operating objectives broadly, defined by FMFIA.\nSSA\xe2\x80\x99s management is responsible for maintaining effective internal control over financial reporting and for its\nassertion of the operating effectiveness of internal control over financial reporting included in the accompanying\nFMFIA Assurance Statement on page 47 of this PAR. Our responsibility is to express an opinion on SSA\xe2\x80\x99s\ninternal control over financial reporting based on our audit.\n\nWe conducted our audit in accordance with attestation standards established by the AICPA; the standards\napplicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the\nUnited States; and OMB Bulletin No. 07-04, as amended. Those standards require that we plan and perform the\naudit to obtain reasonable assurance about whether effective internal control over financial reporting was\nmaintained in all material respects. Our audit included obtaining an understanding of internal control over\nfinancial reporting, assessing the risk that a material weakness exists, testing and evaluating the design and\noperating effectiveness of internal control based on the assessed risk, and performing such other procedures as we\nconsidered necessary in the circumstances. 
We believe that our audit provides a reasonable basis for our opinion.\n\n\n\n\nGrant Thornton LLP\nU.S. member firm of Grant Thornton International Ltd\n\x0c                                                                                                                           3\n\n\nAn Agency\xe2\x80\x99s internal control over financial reporting is a process affected by those charged with governance,\nmanagement, and other personnel, designed to provide reasonable assurance regarding the preparation of reliable\nfinancial statements in accordance with generally accepted accounting principles. An Agency\xe2\x80\x99s internal control\nover financial reporting includes those policies and procedures that ( 1 ) pertain to the maintenance of records that,\nin reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the Agency;\n( 2 ) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial\nstatements in accordance with generally accepted accounting principles, and that receipts and expenditures of the\nAgency are being made only in accordance with authorizations of management and those charged with\ngovernance; and ( 3 ) provide reasonable assurance regarding prevention, or timely detection and correction of\nunauthorized acquisition, use, or disposition of the Agency\xe2\x80\x99s assets that could have a material effect on the\nfinancial statements.\n\nBecause of its inherent limitations, internal control over financial reporting may not prevent, or detect and correct\nmisstatements. 
Also, projections of any evaluation of effectiveness to future periods are subject to the risk that\ncontrols may become inadequate because of changes in conditions, or that the degree of compliance with the\npolicies or procedures may deteriorate.\n\nA deficiency in internal control over financial reporting exists when the design or operation of a control does not\nallow management or employees, in the normal course of performing their assigned functions, to prevent or detect\nand correct misstatements on a timely basis.\n\nA significant deficiency is a deficiency, or a combination of deficiencies, in internal control over financial reporting\nthat is less severe than a material weakness, yet important enough to merit attention by those charged with\ngovernance. We identified certain deficiencies in internal control related to benefit payment oversight that, in the\naggregate, are considered to be a significant deficiency.\n\nA material weakness is a deficiency, or a combination of deficiencies, in internal control over financial reporting,\nsuch that there is a reasonable possibility that a material misstatement of the Agency's financial statements will not\nbe prevented, or detected and corrected on a timely basis. We identified certain deficiencies in Information\nSystems Controls that, in the aggregate, are considered to be a Material Weakness.\n\n                                                       Material Weakness - Information Systems Controls\n\nSSA\xe2\x80\x99s business processes which generate the information included in financial statements are dependent upon the\nAgency\xe2\x80\x99s information systems. 
A comprehensive and effective internal control program over these systems is\ncritical to the reliability, integrity, and confidentiality of data while mitigating the risk of errors, fraud and other\nillegal acts.\n\nOverview\nManagement relies extensively on information systems operations for the administration and processing of the\nTitle II and Title XVI programs, to both process and account for their expenditures. Internal Controls over this\nenvironment are essential for the reliability, integrity, and confidentiality of the program\xe2\x80\x99s data and mitigate the\nrisks of error, fraud and other illegal acts.\n\nOur internal control testing covered both general and application controls. General Controls encompass the\nentity-wide security program (EWSP), access controls (physical and logical), change management, segregation of\nduties, system software, and service continuity plans and testing. General controls provide the foundation for the\n\n\nGrant Thornton LLP\nU.S. member firm of Grant Thornton International Ltd\n\x0c                                                                                                                                           4\n\n\nintegrity of systems, and combined with application level controls, are critical to ensure accurate and complete\nprocessing of transactions and integrity of stored data. Application controls include controls over input,\nprocessing of data, and output of data. Our audit included testing of the Agency\xe2\x80\x99s mainframe, networks and\napplications and was conducted at headquarters as well as Disability Determination Services Centers (DDS) and\nProgram Service Centers (PSC).\n\nDeficiencies Noted in Information Systems\nWhile the SSA has made efforts to strengthen controls over its systems and address the outstanding significant\ndeficiency in Information Security, our testing identified general control issues in both design and operation of key\ncontrols. 
We noted weaknesses in the following areas:\n\n        \xe2\x80\xa2        Entity Wide Security Program\n        \xe2\x80\xa2        Access Controls\n        \xe2\x80\xa2        Compensating Controls\n\nEntity-Wide Security Program: These programs are designed to ensure that security threats are identified, risks\nare assessed, control objectives are appropriately designed and formulated, relevant control techniques are\ndeveloped and implemented, and managerial oversight is consistently applied to ensure the overall effectiveness of\nsecurity measures. EWSPs afford management the opportunity to provide appropriate direction and oversight of\nthe design, development, and operation of critical system controls. Deficiencies in the programs can result in\ninadequate access and configuration controls affecting mission-critical, system-based operations. Our testing\nidentified the following issues:\n\n        \xe2\x80\xa2        Lack of monitoring controls and implementation of policy related to the configuration and content of information on SSA\n                 intranet web pages.\n\n                 During our testing we were able to obtain security and Personal Identifiable Information (PII) data that\n                 was accessible due to the misconfiguration of SSA systems. While testing was terminated after gaining\n                 control of a single server, the information obtained enabled us to take control of the SSA\xe2\x80\x99s Windows\n                 network. 
These issues increase the risk that sensitive data is accessible to unauthorized personnel which\n                 may be used or disclosed inappropriately.\n\n                 The Agency is currently in the process of implementing new software that will assist in the identification\n                 of inappropriate information being posted.\n\n        \xe2\x80\xa2        Lack of controls related to the identification and monitoring of high risk programs operating on the mainframe.\n\n                 During the change management process, management does not perform an impact assessment to\n                 determine security implications for significant mainframe programmatic changes. For example,\n                 management does not perform assessments for changes to programs in the Authorized Program Facility\n                 (APF) libraries (i.e. Services (SVCs), user SVCs, and exits). In addition, management does not have a\n                 comprehensive process to periodically review the privileged programs added to the SSA mainframe\n                 environment to ensure that all privileged programs have been approved, modified appropriately, and pose\n                 no security risks.\n\n\n\n\nGrant Thornton LLP\nU.S. 
member firm of Grant Thornton International Ltd\n\x0c                                                                                                                                                    5\n\n\n                 Without performing specific assessments of the impact of program changes to the system security\n                 framework, there is an increased risk that the security posture and controls may be bypassed or\n                 compromised.\n\n        \xe2\x80\xa2        Insufficient vulnerability testing is conducted by the Agency for the identification of critical weaknesses in their information\n                 technology environment.\n\n                 During our internal penetration testing we were able to gain access to restricted information and ultimately\n                 assume control over a server without detection. Although via a different method, this is the second year\n                 in a row we have been able to utilize an internal network drop to gain control of the SSA Windows system\n                 without detection. Management\xe2\x80\x99s failure to conduct robust enterprise focused penetration testing\n                 increases the risk that unauthorized access may occur and go undetected, allowing privileged information\n                 or critical infrastructure to be compromised.\n\n                 The Agency currently performs security assessments related to specific implementations and projects but\n                 does not conduct enterprise wide penetration testing (simulated attacks from a malicious user).\n\nAccess Controls: Access controls provide assurance that critical systems assets are physically safeguarded and\nthat logical access to sensitive applications, system utilities, and data is provided only when authorized and\nappropriate. Access controls over operating systems, network components, and communications software are also\nclosely related. 
These controls mitigate the inherent risk that unauthorized users and computer processes cannot\naccess sensitive data. Weaknesses in such controls can compromise the integrity of sensitive data and increase the\nrisk that such data may be inappropriately accessed and/or disclosed. Our testing identified the following issues:\n\n        \xe2\x80\xa2        Lack of a comprehensive profile and access recertification program.\n\n                 Our testing disclosed that policies and procedures to periodically reassess the content of security access\n                 profiles had been developed but not implemented consistently throughout the Agency. This issue\n                 increases the risk of inappropriate access and user rights, which allows individuals an opportunity to\n                 perform transactions or access restricted information outside of their job responsibilities. During our\n                 testing we identified personnel with inappropriate access.\n\n                 This is a recurring issue identified as part of the Significant Deficiency in prior years. The Agency is\n                 working to remediate its profile and access recertification program and plans for a full implementation of\n                 this control in Fiscal Year (FY) 2013.\n\n        \xe2\x80\xa2        Lack of appropriate controls to prevent programmer access to the production environment.\n\n                 Our testing identified programmers with unmonitored access to production data for a benefit payment\n                 application. This is of heightened concern as this access did not exist in the prior fiscal year and based on\n                 inquiry with management was caused by human error. This issue increases the risk that programmers\n                 could make unauthorized changes to the production environment without detection and without a\n                 comprehensive recertification process discussed above. 
There is no current control that would have\n                 identified this error in a timely manner.\n\n                 The Agency has implemented a secondary user ID process to allow programmers to access production\n                 data through a highly monitored, time-limited process. During our testing we determined this control was\n\n\nGrant Thornton LLP\nU.S. member firm of Grant Thornton International Ltd\n\x0c                                                                                                                                      6\n\n\n                 not operating effectively. For example, we identified instances where programmers were issued a\n                 secondary user ID; however, their access was not approved and reviewed for more than six months after\n                 they accessed production.\n\n                 While our testing did not disclose that any inappropriate changes were made to the production\n                 environment, a risk existed.\n\nCompensating Controls\nManagement has identified several areas of compensating controls to mitigate the risks related to the deficiencies\nabove; however, our testing identified control deficiencies for the majority of these controls. The following\nhighlights several of the control deficiencies identified related to these compensating controls:\n\n\n        1. Change control\n              \xe2\x80\xa2 Our testing noted a failure of the operational effectiveness of the controls related to\n                 documentation and approval of changes to financially relevant applications. This included both\n                 routine and emergency changes.\n        2. Physical access\n              \xe2\x80\xa2 During FY 2012, a comprehensive physical access recertification was not performed; including\n                  access to the data center. 
Management is currently working to implement an automated process;\n                  however, this was not in place during FY 2012.\n                          \xe2\x80\xa2        Our testing identified multiple instances of control failures during our review of the SSA 4395\n                                   Form process (the form used to request and approve physical access to SSA facilities). For\n                                   example, we identified forms that did not include approval signatures, physical access justification,\n                                   and disapproved employees that were provided physical access.\n                          \xe2\x80\xa2        During testing of terminated contractors, we identified a control failure related to removing\n                                   contractor physical access (from the physical access system) upon termination. Specifically, we\n                                   noted instances where terminated contractors were identified as having active physical access\n                                   during our testing.\n                          \xe2\x80\xa2        During a related physical security audit, auditors identified a contracted network engineer was\n                                   found unsuitable for contract employment at the SSA by the Office of Personnel Management.\n                                   That contracted employee maintained physical access to the SSA facilities for approximately one\n                                   year after the unsuitable determination was made. This employee was immediately removed from\n                                   the contract upon notification to the appropriate SSA personnel.\n        3. Logical access\n              \xe2\x80\xa2 Our testing identified control failures related to the appropriate use of the SSA 120 Forms (the\n                  forms used to request and approve logical access to SSA systems and applications). 
Included in\n                  these control failures were instances of new hires, transferred employees, state DDS employees,\n                  and contracted employees.\n                          \xe2\x80\xa2        During a related logical security audit, auditors identified a DDS system user ID (also known as a\n                                   PIN) that was in use after the employee associated to the ID was terminated to access the system.\n                                   Management confirmed that no transactions were executed with the terminated employee\xe2\x80\x99s ID,\n                                   but is currently investigating how this occurred.\n\nRecommendations\nIn order to mitigate the risks of the issues noted in the material weakness, management should consider\nimplementing:\n\n\n\nGrant Thornton LLP\nU.S. member firm of Grant Thornton International Ltd\n\x0c                                                                                                                          7\n\n\n        \xe2\x80\xa2        Monitoring controls designed to identify configurations within the SSA network and systems environment\n                 that are not in compliance with the SSA system configuration policy. In addition, management should\n                 consider implementing controls to identify and track content on SSA intranet web pages that may pose a\n                 risk to the security of SSA systems, or the confidentiality of SSA data;\n        \xe2\x80\xa2        A comprehensive program to identify and monitor high risk programs operating on the\n                 mainframe. 
      Consider including the identification of programs that may pose security risks to the SSA
      mainframe prior to them being loaded onto the production environment;
   •  Comprehensive enterprise-wide security vulnerability testing, including simulated penetration attacks,
      in order to identify critical weaknesses in the information technology environment that may not be
      identified by the current control processes;
   •  A comprehensive profile and access recertification program; and,
   •  Additional controls to prevent unauthorized programmer access to the production environment.

                         Significant Deficiency - Benefit Payment Oversight

SSA has extensive operations geographically dispersed throughout the United States, spanning over 1,200 field
offices (FO), 10 regional offices (RO) and 52 state operated DDS offices. In order to ensure consistent processing
of transactions related to benefit payments across the numerous physical locations, SSA has detailed policies and
procedures as well as an internal control system related to authorization, payment, and continuation of benefit
payments. Adherence to policies and procedures is critical to decisions being made timely and correctly by the
Agency. In order to ensure compliance with these policies and procedures, management’s internal control
structure is designed to prevent and/or detect inaccuracies and deviations which can occur throughout a process
that relies heavily on human input and decisions.

Overview
Our testing identified control deficiencies that could impact the accuracy of benefit payments related to the
following components of internal control: Monitoring and Control Environment. These components are critical
to the overall function of the SSA control environment and are necessary to ensure the accuracy of benefit
payments in an organization where extremely high volumes of relatively low dollar amount transactions are
processed.

Monitoring and Control Environment Deficiencies
Our testing noted deficiencies in SSA Monitoring Controls and Control Environment in the key areas noted
below. Many of these exceptions have recurred over the past two fiscal years and have been reported in prior
Management Letters.

        CDRs - Continuing Disability Reviews (CDRs) are performed by management to determine if existing
        beneficiaries receiving payments based on disability continue to meet the medical eligibility criteria. This
        process is critical to the establishment of continued eligibility of beneficiaries receiving disability benefits and
        has been identified as a key control by management as part of their OMB Circular A-123 assessment process.
        Our testing of CDR cases determined that some CDRs were not documented in accordance with SSA policies;
        for example, physician approvals of final determinations were missing. However, for our sample, we were able
        to obtain sufficient evidence to conclude the final CDR determinations met the medical criteria established by
        SSA.

        Improper documentation increases the risk of incorrect determinations and prevents the Agency from
        properly supporting decisions, impacting the accuracy and validity of SSA’s recorded benefit payments.

        Quality Assurance (QA) - The QA processes conducted by the Office of Quality and Performance (OQP)
        review the work being performed through various workloads within the SSA, including a review of CDRs
        conducted. This process has been identified as a key control by management as part of their OMB
        Circular A-123 assessment process. Our testing of the QA processes related to the review of the CDRs
        conducted by the DDS determined the following:

           •  Communication of detected errors to responsible parties for resolution and performance
              improvement was not performed. By not communicating deficiencies noted, a key step in improving
              overall performance and quality is circumvented.
           •  QA reviews were not completed accurately based on SSA’s policies and procedures. Inaccurate
              completion of QA reviews may result in ineligible beneficiaries receiving payments, which by statute
              SSA may not be able to terminate.
           •  The QA process does not include procedures to update and verify SSA records outside of the QA
              systems. The lack of updates and verification with beneficiary records may compromise decisions
              made by management and lead to improper payments.

        SSA-93 Forms - SSA management has claims review processes in place within OQP. OQP processes are
        considered key controls by management for the oversight of benefit payments.
        When an OQP claim review detects a discrepancy or inaccuracy, a Quality Review Feedback Form (SSA-93
        Form) is produced to notify the applicable office that a correction is needed. Our testing identified that
        SSA-93 Forms are not being completed timely, accurately or completely. In addition, the SSA does not have
        a comprehensive process to track outstanding SSA-93 Forms and determine accuracy or timeliness of
        completion.

        The lack of a comprehensive process related to identified findings negates the effectiveness of the OQP
        program and allows known payment errors to go uncorrected and inaccurate data to be maintained.

        Overpayments - Overpayments occur when beneficiaries receive payments beyond their entitled amount.
        Our testing noted deficiencies in the documentation maintained to support a number of the overpayments
        tested. In certain situations, system limitations cause historic data to be overwritten. Consequently, we were
        unable to reconstruct the overpayment amount for a number of sample items due to this limitation.

        The lack of documentation to support the overpayments impacts the Agency’s ability to meet its fiduciary
        duties to protect the assets of the trust funds and government general fund and support the accounts
        receivable balance on its financial statements.

Recommendations
In order to mitigate the risks of the issues noted in the significant deficiency, management should:

CDRs
   •  Enforce existing policies and procedures around documentation of CDRs.
   •  Enhance enforcement procedures for DDSs which are not completing or documenting CDRs per policies
      and procedures.
Quality Assurance
   •  Enhance policies over QA to clearly define when a reviewer should document and provide feedback to
      users.
   •  Enforce existing policies and procedures and continue training over the correct completion of a QA
      review.
   •  Implement procedures to update and verify SSA records outside of the QA systems based upon
      information validated during the QA review.
SSA-93 Forms
   •  Provide training and reminders to encourage timely and appropriate completion of SSA-93 Forms in
      accordance with SSA guidance.
   •  Implement management review in the RO and FO over completed SSA-93 Forms.
   •  Include reviews by Headquarters over timeliness and quality of completion of SSA-93 Forms.
Overpayments
   •  Include procedures in the current On-site Control and Audit Reviews (OSCAR) program for determining
      whether overpayment information has been completely, accurately, and timely documented by field offices
      or PSCs within the appropriate systems of record.
   •  Implement changes that prevent overpayment information from being overwritten in the system.

In our opinion, because of the effect of the material weakness described above on the achievement of the
objectives of the control criteria, SSA has not maintained effective internal control over financial reporting as of
September 30, 2012, based on criteria established under FMFIA.
Specific disclosure of detailed information about these exposures might further compromise controls and is
therefore not provided within this report.
Rather, the specific details of deficiencies noted are presented in a separate, limited-distribution Management
Letter.
We considered the material weakness identified above in determining the nature, timing, and extent of audit tests
applied in our audit of the 2012 financial statements, and this report does not affect the report above, which
expressed an unqualified opinion.

REPORT ON COMPLIANCE AND OTHER MATTERS
The management of SSA is responsible for compliance with laws and regulations. As part of obtaining reasonable
assurance about whether the basic financial statements are free of material misstatement, we performed tests of
compliance with laws and regulations, including laws governing the use of budgetary authority, government-wide
policies and laws identified in Appendix E of OMB Bulletin No. 07-04 as amended, and other laws and
regulations, noncompliance with which could have a direct and material effect on the financial statements. Under
the Federal Financial Management Improvement Act of 1996 (FFMIA), we are required to report whether the SSA’s
financial management systems substantially comply with the Federal financial management systems requirements,
applicable Federal accounting standards, and the United States Government Standard General Ledger at the
transaction level. To meet this requirement, we performed tests of compliance with FFMIA section 803(a)
requirements.

We did not test compliance with all laws and regulations applicable to SSA. We limited our tests of compliance to
the provisions of laws and regulations cited in the preceding paragraph of this report. Providing an opinion on
compliance with those provisions was not an objective of our audit and, accordingly, we do not express such an
opinion.

The results of our test of compliance disclosed no instances of noncompliance with laws and regulations or other
matters that are required to be reported under Government Auditing Standards or OMB Bulletin No. 07-04 as
amended and no instances of substantial noncompliance that are required to be reported under FFMIA.

OTHER INFORMATION
The Management’s Discussion and Analysis (MD&A) included on pages 5 through 52 and the Required
Supplementary Information (RSI) included on pages 151 through 162 of this PAR are not a required part of the
basic financial statements but are supplementary information required by the Federal Accounting Standards
Advisory Board and OMB Circular A-136, Financial Reporting Requirements. This required supplementary
information is the responsibility of management. We have applied certain limited procedures to the required
supplementary information in accordance with auditing standards generally accepted in the United States of
America established by the American Institute of Certified Public Accountants. These limited procedures consisted
of inquiries of management about the methods of preparing the information and comparing the information for
consistency with management’s responses to our inquiries, the basic financial statements, and other knowledge we
obtained during our audit of the basic financial statements. We do not express an opinion or provide any assurance
on the information because the limited procedures do not provide us with sufficient evidence to express an
opinion or provide any assurance.
Our audits were conducted for the purpose of forming an opinion on the basic financial statements taken as a
whole.
The Schedule of Budgetary Resources included on page 149 of this PAR is supplementary information
required by OMB Circular No. A-136, Financial Reporting Requirements. This schedule and the consolidating and
combining information included on pages 145 to 148 of this PAR are not a required part of the basic financial
statements. Such supplementary information is the responsibility of management and was derived from and
relates directly to the underlying accounting and other records used to prepare the basic financial statements. The
information has been subjected to the auditing procedures applied in the audit of the basic financial statements and
certain additional procedures. These additional procedures included comparing and reconciling the information
directly to the underlying accounting and other records used to prepare the basic financial statements or to the
basic financial statements themselves, and other additional procedures in accordance with auditing standards
generally accepted in the United States of America established by the American Institute of Certified Public
Accountants. In our opinion, the supplementary information is fairly stated, in all material respects, in relation to
the basic financial statements as a whole.

The Commissioner’s Message on page 1 and the other accompanying information included on pages 2 through 4,
53 through 109, 150 and 177 to the end of this PAR, is presented for purposes of additional analysis and is not a
required part of the basic financial statements. Such information has not been subjected to the auditing
procedures applied in the audit of the basic financial statements, and accordingly, we express no opinion on it.

Our report is intended solely for the information and use of management of SSA, the Office of the Inspector
General, the OMB, the Government Accountability Office, and Congress and is not intended to be and should
not be used by anyone other than these specified parties.

Alexandria, Virginia
November 8, 2012